
Cloud Vulnerability DB
A community-led vulnerabilities database
A session fixation vulnerability was identified in Gibbon Core, affecting all versions prior to v23.0.02. The vulnerability was discovered in March 2022 and was assigned CVE-2022-27305. In affected versions, Gibbon did not issue a new session ID cookie after a user authenticated, so a session identifier established before login stayed valid after login; this is the defining condition for session fixation (GitHub Advisory).
The vulnerability is classified as CWE-384 (Session Fixation) with a Moderate severity rating. Because the application never replaced the pre-authentication session ID, an attacker who could get a victim's browser to use a session identifier the attacker already knew, before the victim logged in, could present that same identifier after the victim authenticated and act within the victim's authenticated session (GitHub Advisory).
While there was no evidence of exploitation in the wild, the vulnerability posed a significant security risk that warranted immediate attention from system administrators. The issue affected all versions of Gibbon Core prior to version 23.0.02 (GitHub Advisory).
The vulnerability was patched in the Gibbon v23.0.02 release (Ga Yau Security Update). For installations unable to update to the latest version, patches were provided for v22.0.01 and v21.0.01, which could be applied by replacing the login.php file in the Gibbon root directory. Systems running the cutting edge code were advised to update to the latest commit of v24.0.00 (GitHub Advisory). After patching, administrators can confirm the fix by comparing the session cookie value sent to the browser before and after a successful login: a patched instance sets a different value once the user is authenticated.
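To make the mechanism concrete, here is an added Python model of the two login behaviours. It is constructed for this page and is not Gibbon's PHP code; the user name, password, the in-memory session store and the way the planted identifier reaches the victim's browser are all assumptions. It shows that without rotation the identifier the attacker planted becomes an authenticated session, and that rotating the identifier at login, the equivalent of PHP's session_regenerate_id(true), defeats the attack while keeping the victim logged in.

```python
"""Session fixation: vulnerable vs. fixed login flow (constructed model, not Gibbon code)."""
import secrets
from typing import Dict, Optional

# Constructed stand-in for the server-side session store (PHP keeps these in files).
SESSIONS: Dict[str, dict] = {}

# Constructed demo credential; a real application compares a password hash.
USERS = {"teacher": "correct-horse"}


def new_session() -> str:
    """Issue a fresh, server-chosen session id with empty data."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {}
    return sid


def request_session(cookie_sid: Optional[str]) -> str:
    """Like session_start(): reuse the id the client presents if the server knows it, else create one."""
    if cookie_sid is not None and cookie_sid in SESSIONS:
        return cookie_sid
    return new_session()


def login(cookie_sid: Optional[str], username: str, password: str, regenerate: bool) -> str:
    """Handle a login request and return the session id the server sets on the client.

    regenerate=False models the affected Gibbon versions (id kept across authentication).
    regenerate=True models the fix (fresh id at login, old id destroyed).
    """
    sid = request_session(cookie_sid)
    if USERS.get(username) != password:
        return sid  # failed login: nothing becomes authenticated
    if regenerate:
        # Rotate: move the data to a new id and drop the old one so a pre-login id is worthless.
        data = SESSIONS.pop(sid)
        sid = new_session()
        SESSIONS[sid] = data
    SESSIONS[sid]["user"] = username
    return sid


def whoami(cookie_sid: str) -> Optional[str]:
    """Which user, if any, the given session id is authenticated as."""
    return SESSIONS.get(cookie_sid, {}).get("user")


def fixation_attack(regenerate: bool) -> Dict[str, bool]:
    """Run the attack once and report who ends up authenticated."""
    SESSIONS.clear()
    # 1. Attacker obtains a valid session id from the server.
    attacker_sid = new_session()
    # 2. Attacker plants that id in the victim's browser (delivery vector assumed, e.g. cookie injection).
    planted_sid = attacker_sid
    # 3. Victim logs in while carrying the planted id.
    victim_sid = login(planted_sid, "teacher", "correct-horse", regenerate)
    # 4. Attacker replays the id they planted.
    return {
        "attacker_authenticated": whoami(attacker_sid) == "teacher",
        "victim_authenticated": whoami(victim_sid) == "teacher",
    }


if __name__ == "__main__":
    print("vulnerable:", fixation_attack(regenerate=False))
    print("fixed:     ", fixation_attack(regenerate=True))
```

In the vulnerable run the attacker's pre-planted identifier is the one that becomes authenticated; in the fixed run the victim receives a new identifier and the planted one no longer maps to any session.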
The security researcher Kole Swesey was acknowledged for responsibly disclosing the vulnerability to the Gibbon team. The team collaborated with the researcher to verify the fix and followed responsible disclosure practices (GitHub Advisory).
Source: This report was generated using AI